Office of Inspector General

Independent Evaluation Report of FMC's FY 2009 Implementation of FISMA
A10-02

January 2010

FEDERAL MARITIME COMMISSION

FEDERAL MARITIME COMMISSION
Office of Inspector General
Washington, DC 20573-0001
January 28, 2010

Office of Inspector General
Chairman Lidinsky:

The Office of Inspector General (OIG) has completed its independent evaluation of information security pursuant to requirements contained in the Federal Information Security Management Act (FISMA) of 2002. This is the seventh annual evaluation completed by the OIG in the area of information and computer security.

As you already know, last year the Office of Information Technology (OIT) sought the assistance of an outside contractor to perform a comprehensive assessment of its information security posture. The OIT received significant funding to address the identified weaknesses and vulnerabilities in its security program. However, this year, at the direction of the Chief Information Officer, the agency's contracting officer issued a stop work order after two of four systems were certified and accredited. The CIO concluded that the agency would be better off scrapping the two remaining systems and procuring an "off-the-shelf" system that works better and saves the agency money in the long run.

The OIG did not review that decision as part of this security evaluation. Rather, we focused the evaluation on the two systems that were certified and accredited. As of the date of issuance of our report, the two systems that did not undergo security accreditation are in production.

The OIG contracted with Richard S. Carson and Associates to perform the independent evaluation of the FMC security program. The objectives of the independent evaluation of the FMC information security program were to:
   1. Assess compliance with FISMA and related information security policies, procedures, standards and guidelines;
   2. Perform an external network scan from an IP address outside FMC to identify vulnerabilities that would permit unauthorized access to agency resources and databases (open ports, missing patches, default or missing passwords, etc.);
   3. Review management actions to implement prior-year OIG recommendations; and
   4. Evaluate the effectiveness of the work completed by the OIT contractors.

The evaluation found that the FMC has taken concrete steps to protect the agency's systems – most important is the accreditation of its Network and SERVCON applications – and has made progress in mitigating weaknesses which led to the prior year's significant deficiency concerning IT risk and recovery planning. A significant deficiency is a weakness in an agency's overall information systems security program that restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, operations or assets. The firewall is secure; attempts to penetrate firewall defenses by the evaluation team from a remote location were unsuccessful. Moving forward, the CIO appears to have a plan for securing information resources inside the firewall even as the agency updates its IT infrastructure.

On the other hand, the FMC lacks (i) a comprehensive configuration management program and technical privacy controls required by OMB, (ii) an adequate Contingency Planning Program, to include policies, procedures, testing and documentation of testing, and (iii) an official system inventory.
Further, the FMC Network Domain Administrator accounts are not monitored.

I am encouraged by progress the agency has made to date and I support the CIO's decision to move forward with a new content management system to replace older applications that were not FISMA compliant. Yet, much still needs to be done to provide basic assurances that information and information systems are secure.

I want to thank OIT managers and staff for their assistance throughout our review. While we did not always agree, I am confident that the CIO understands the extent of the work that lies ahead and has a strategy to address it. I am available to answer any questions you have about the report.

Respectfully submitted,

/Adam R. Trzeciak/
Inspector General

Attachment

Office of Inspector General
Independent Evaluation Report

Review of Federal Maritime Commission Implementation of the Federal Information Security Management Act of 2002 for Fiscal Year 2009

November 18, 2009

RICHARD S. CARSON & ASSOCIATES, INC.
http://www.carsoninc.com
4720 Montgomery Lane • Suite 800 • Bethesda, MD 20814-3444 • 301.656.4565 • Fax: 301.656.4806

FINAL                    Independent Evaluation of FMC Information Security Program

TABLE OF CONTENTS
1. BACKGROUND .... 1
2. OBJECTIVES .... 1
3. SCOPE AND METHODOLOGY .... 1
4. DETAILED FINDINGS AND RECOMMENDATIONS .... 3
   4.1 Agency Implementation of FISMA – FY 2008 Follow-up .... 3
       Notification of Finding # 1: Configuration Management Documentation is not adequate. .... 4
       Notification of Finding # 2: The FMC does not fully comply with Security Requirements of OMB Memorandum M-07-16. .... 6
   4.2 Agency Implementation of FISMA – FY 2009 Review .... 7
       Notification of Finding # 3: Deficiencies with the FMC Certification and Accreditation (C&A) packages for the FMC Network and SERVCON exist. .... 8
       Notification of Finding # 4: The FMC lacks an adequate Contingency Planning Program, to include policies, procedures, testing and documentation of testing. .... 14
       Notification of Finding # 5: The FMC does not have an official system inventory. .... 15
       Notification of Finding # 6: The FMC Plan of Action & Milestones process needs improvement. .... 17
       Notification of Finding # 7: The FMC Network Domain Administrator accounts are not appropriately segregated and monitored. .... 18

1. BACKGROUND

On December 17, 2002, the President signed into law the E-Government Act of 2002 (Public Law 107-347), which includes Title III, the Federal Information Security Management Act of 2002 (FISMA). FISMA permanently reauthorized the framework laid out in the Government Information Security Reform Act of 2000 (GISRA), which expired in November 2002, and outlines information security management requirements for agencies, including the requirement for annual review and independent assessment by agency inspectors general (IG).
In addition, FISMA includes provisions aimed at further strengthening the security of the federal government's information and information systems, such as the development of minimum standards for agency systems. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

2. OBJECTIVES

The objectives of the independent evaluation of the FMC information security program are as follows:
   1. Evaluate Information System & Security Program: Assess compliance with FISMA and related information security policies, procedures, standards and guidelines using criteria and methodologies contained in the Government Accountability Office's (GAO) Federal Information System Controls Audit Manual (FISCAM), National Institute of Standards and Technology (NIST) Information Processing Standards and Special Publications (SP) and OMB guidance. The scope of this task is the FMC Network and SERVCON.
   2. Perform Vulnerability Scan: Perform an external network scan from an address outside FMC to identify vulnerabilities associated with hardware and software installed facing the Internet (open ports, missing patches, default or missing passwords, etc.).
   3. Evaluate Responses to Prior Recommendations: Review management actions to implement OIG recommendations.
   4. Review Progress of Security Program: Perform an independent review of the FMC's progress in implementing an effective information security program as it pertains to the tasks performed by the OIT contractors.

3. SCOPE AND METHODOLOGY

The scope of this independent evaluation of the FMC fiscal year (FY) 2009 information security program included the following:
   • Overall Security Program Implementation
   • C&A Process and package reviews of the FMC Network and SERVCON
   • Configuration Management
   • Contractor Oversight
   • Contingency Planning and Testing
   • POA&M Process
   • Security Awareness Training
   • Incident Response

To accomplish the review objectives, the OIG conducted interviews with Office of Administration (OA) staff, including the Chief Information Officer (CIO); Office of Information Technology (OIT) staff, including the Director of Information Technology and the Senior Information System Security Officer (ISSO); the Office of the Secretary (OS), including the Deputy Secretary; the Office of the General Counsel (OGC) staff, including the Senior Agency Official for Privacy (SAOP); and other FMC personnel.

The team reviewed documentation provided by the FMC including C&A documentation, privacy impact assessments and information security-related policies.

All analyses were performed in accordance with the following guidance:
   • Federal Information Security Management Act of 2002 (Public Law 107-347), December 2002
   • Office of Management and Budget (OMB) Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 14, 2007
   • OMB Circular A-130, Transmittal Memorandum No. 4, Management of Federal Information Resources, November 18, 2000
   • Federal Information Processing Standards Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004
   • National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Information Technology Systems, February 2006
   • NIST SP 800-53, Revision 2, Recommended Security Controls for Federal Information Systems, December 2007
   • NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002
   • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, June 2002
   • NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004
   • Quality Standards for Inspection issued in 2003 by the President's Council on Integrity and Efficiency
   • President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency FISMA Framework, September 2006
   • FMC/OIG audit guidance
   • FMC policies and procedures

The OIG performed fieldwork between June 8, 2009, and September 30, 2009, at the FMC headquarters in Washington, DC.

4. DETAILED FINDINGS AND RECOMMENDATIONS

The FMC has taken steps to enhance its information security program and address issues identified in the 2006, 2007 and 2008 FISMA reports, including the following:
   • Creating Certification and Accreditation (C&A) packages for the FMC Network and SERVCON.
   • Implementing and monitoring the annual computer security awareness program, to include providing an interactive online course with a required assessment for all employees at completion. All FMC staff and contractors (with the exception of one FMC employee on maternity leave whose account has been disabled) completed annual computer security awareness training by the end of FY 2009.
   • Performing contractor system oversight to ensure the information systems meet government policies and regulations.
   • Updating the Incident Response Policy to include breach-related procedures from OMB Memorandum M-07-16.
   • Taking steps to implement a POA&M process.
   • Appropriately sanitizing media to prevent disclosure of sensitive information when disposing or recycling media within the agency.

4.1 Agency Implementation of FISMA – FY 2008 Follow-up

During FY 2008 and 2009, the OIT hired an IT security consulting firm (the contractor) to perform an inventory of its (OIT) information security program. The results of this inventory were presented to OIT in the "Security Compliance Status Report." OIT, with assistance from the contractor, used the report results to restructure the agency's information security program and create C&A documentation for two of the FMC's four information systems.
FMC's Contracting Officer issued a stop work order after completion of the FMC Network and SERVCON C&A packages because FORM-1 and FMC-18 were "not ready for C&A." According to OIT, the systems were developed prior to the installment of the current OIT management and policies. If C&A activities were conducted on FORM-1 and FMC-18, management would have to absorb an exorbitant amount of risk; therefore, the CIO decided that the agency would look into other options. The OIG notes that FORM-1 and FMC-18 continue to operate in a production environment without any documented assessment and acceptance of risk to the organization; however, the FMC plans to develop and implement an enterprise content management system that would replace FORM-1 and FMC-18, complete with a C&A package. The FMC has selected a contractor and is expected to complete the task by May 2010, in time for the OIG's FY 2010 FISMA evaluation. Therefore, the focus for the FY 2009 FISMA evaluation is the completed C&A packages for the FMC Network and SERVCON only.

The OIG is required to report on the security posture of the agency as part of its FISMA evaluation. Recognizing that the contractor completed work on two of the four systems at the FMC, the OIG must still opine on the program as it existed during the review period. In our view, the agency has taken important steps by hiring a contractor to complete C&A packages for two of the four systems at the FMC and to provide the template for a fully functional IT security program.
Without minimizing the importance of this foundation and acknowledging the effort involved to bring it about, we also note that in FY 2009 many of the elements of a mature, robust and comprehensive security program still did not exist at the FMC. However, we also note that this condition is likely to change in FY 2010 with the implementation of the enterprise content management system and remediation of the findings listed below.

Notification of Finding # 1: Configuration Management Documentation is not adequate

According to NIST, it is important to document proposed or actual changes to information systems and to subsequently determine the impact of those proposed or actual changes on the system's security. Information systems will typically be in a constant state of migration with upgrades to hardware, software, or firmware and possible modifications to the surrounding environment where the system resides. Documenting information system changes and assessing the potential impact those changes may have on the security of the system is an essential aspect of continuous monitoring and maintaining the security accreditation.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009, states that organizations shall:
   • Develop, disseminate and review/update at an organization-defined frequency formal documented configuration management policies and procedures that facilitate the implementation of associated configuration management controls.
   • Develop, document and maintain a current baseline configuration of the information systems.
   • Define, document and approve configuration changes to the system.
   • Analyze changes to the information system to determine potential security impacts prior to change implementation.
   • Define, document, approve and enforce physical and logical access restrictions associated with changes to the information system.
   • Establish, document and implement mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements.
   • Identify, document and approve exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements.
   • Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
   • Configure the information system to provide only essential capabilities and specifically prohibit or restrict the use of organization-defined prohibited or restricted functions, ports, protocols and/or services.

NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers, dated May 2006, provides approved security configuration checklists for a variety of operating systems, Web browsers, firewalls, antivirus software and productivity tools.

Our review determined that the FMC has created a Configuration Management Policy, implemented the Federal Desktop Core Configuration (FDCC) and created a "server build checklist"; however, a baseline configuration for the FMC Network and deviations from the baselines are not documented.

Additionally, the SERVCON Technical Architecture document did not address security controls in sufficient detail to meet NIST guidelines. Specifically, more information should be provided on which security baselines should be used, the frequency of security baseline updates and the steps taken to ensure security baselines are being followed. The following sections were found to lack sufficient detail:
   • Portal requirements table
   • Cron and scheduled tasks table
   • User roles and groups tables
   • Firewall configuration and port allocation table
   • Document sign off

During the vulnerability scans performed (as described in Section 4.3 below), two public devices were identified in the FMC.gov public subnet of which the FMC was initially unaware. Upon further investigation, it was noted that the devices were a test machine and a router outside the firewall. Nevertheless, the OIG believes that proper documented configuration management and continuous monitoring would have identified the devices.

The FMC hired a contractor during FY 2008 and FY 2009 to create its IT security program; however, the Contracting Officer issued a stop work order after completion of the FMC Network and SERVCON C&A documentation. Through inspection of the documentation and interviews with OIT staff, the OIG determined that OIT has not allocated the necessary resources to create a fully functional configuration management program. The effect of not having completed a current and detailed configuration management program is that baseline security settings do not exist for the FMC systems. Additionally, without a baseline and documented deviations, it is difficult to determine whether security settings are in place.
This could make the systems vulnerable to hacking, computer viruses and other exploits.

Recommendations

We recommend OIT:
1. Complete the SERVCON configuration management documentation to include the missing sections (identified above). Additionally, confirm that the FMC Network and SERVCON configuration management plans address the following sections in accordance with NIST SP 800-53, Revision 3:
   • Security control, port and firewall settings
   • Allowable and non-allowable services
   • Hardware and software requirements
   • Patches and service packs
   • System and application baselines and documentation of the deviations from the baselines
2. Implement the NIST National Checklist Program and use a Security Content Automation Protocol (SCAP) scanner to document deviations from the checklists.

Notification of Finding # 2: The FMC does not fully comply with Security Requirements of OMB Memorandum M-07-16.

OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, requires agencies to encrypt all data on mobile computers/devices carrying agency data; require two-factor remote access authentication; use a 30-minute inactivity timeout function for remote access; log and verify all computer-readable data extracts from databases holding sensitive information; and require all individuals with authorized access to Personally Identifiable Information (PII) and their supervisors to sign, at least annually, a document clearly describing their responsibilities.

Through observation of configuration settings, interviews and review of documentation, the OIG noted the following weaknesses, which were also identified in the FY 2008 FISMA review:
1. Encryption is not implemented on mobile computers and devices carrying agency data.
   • OIT reported that, "due to the lack of sensitive information on these systems, it is not anticipated that this recommendation will be implemented." However, the OIG found no evidence that compensating controls, the residual risk and management sign-off of acceptance of this weakness have been documented. Additionally, thumb drives that were distributed to field office representatives are not FIPS 140-2 compliant.[1] Therefore, the prior year recommendation is still open.
2. Network Administrator remote-access connection does not implement a 30-minute inactivity timeout.
   • Concerning follow-up in FY 2009 on this weakness, the agency has stated that "the Network Administrator's remote access connection cannot be set to time out as there is no setting for this function, which was initiated on 12/15/04. Therefore, corrective action under this recommendation is considered complete." Again, the OIG noted that compensating controls, the residual risk and management sign-off of acceptance of this weakness have not been documented; therefore, the recommendation is still open.

The FMC informed the OIG that the conditions exist because the resources were not available to implement new remote access hardware/software at the current time, but plans were made to upgrade the equipment in an upcoming hardware refresh. The OIG noted that FIPS 140-2 compliant thumb drives were purchased in prior years. However, after speaking with FMC's area representatives, it appeared they were not being used.
Without implementing the technical security considerations of OMB Memorandum M-07-16, the FMC cannot ensure OMB compliance and privacy data may be at risk for unauthorized exposure.

Recommendations

We recommend OIT:
3. Evaluate FMC mobile needs and implement FIPS 140-2 encryption on mobile computers and portable devices carrying agency data.
4. Configure the Network Administrator remote-access connection to require a 30-minute inactivity timeout. If unable to complete, document the compensating controls, residual risk and management acceptance of risk.

[1] Federal Information Processing Standards Publication (FIPS) 140-2 defines the security requirements for cryptographic modules, specifically, the levels and types of encryption to be used when processing information on Federal Government information systems.

4.2 Agency Implementation of FISMA – FY 2009 Review

OMB Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, contained slightly modified FISMA reporting guidance for FY 2009. The OIG evaluated the security program based upon these changes and new requirements. As a result of these evaluations and review of the FMC Network and SERVCON C&A packages, additional vulnerabilities were noted.

Notification of Finding # 3: Deficiencies with the FMC Certification and Accreditation (C&A) packages for the FMC Network and SERVCON exist.

Memorandum M-09-29, Memorandum for Heads of Executive Departments and Agencies, states that C&A is required for all federal information systems.
Section 3544(b)(3) of FISMA discusses "subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems" and does not distinguish between major or other applications. Smaller "systems" and "applications" may be included as part of the assessment of a larger system, as allowable in NIST guidance, provided an appropriate risk assessment is completed and security controls are implemented (OMB M-09-29, p. 11).

Memorandum M-04-04, Memorandum to the Heads of All Departments and Agencies, states that agencies are required to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. It establishes and describes four levels of identity assurance for electronic transactions requiring authentication. Assurance levels also provide a basis for assessing Credential Service Providers (CSP) on behalf of federal agencies. Memorandum M-04-04 assists agencies in identifying their e-government authentication needs. Agency program officials bear the primary responsibility to identify assurance levels and strategies for providing them. This responsibility extends to electronic authentication systems.

Agencies shall determine assurance levels using the following steps, described in Section 2.3 of M-04-04:
   1. Conduct a risk assessment of the e-government system.
   2. Map identified risks to the applicable assurance level.
   3. Select technology based on e-authentication technical guidance.
   4. Validate that the implemented system has achieved the required assurance level.
   5. Periodically reassess the system to determine technology refresh requirements.

NIST Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004, states that a C&A package shall contain an approved security plan, a security assessment report (ST&E) and a Plan of Action and Milestones (POA&M) (SP 800-37, p. 21). Additionally, SP 800-37 states that the assessment of risk and the development of system security plans are two important activities in an agency's information security program that directly support security accreditation and are required by FISMA and OMB Circular A-130, Appendix III (SP 800-37, p. 4). Documentation should be produced that describes the process employed and the results obtained (SP 800-37, p. 5). SP 800-37 also states that system security plans can include as references or attachments other important security-related documents, such as risk assessments, contingency plans, privacy impact assessments, incident response plans, security awareness and training plans, information system rules of behavior, configuration management plans, security configuration checklists and system interconnection agreements (SP 800-37, pp. 5, 21).

The OMB Guidance M-06-20, Memorandum for Heads of Executive Departments and Agencies, states that for all non-national security programs and systems, agencies must follow NIST standards and guidance (OMB M-06-20, p. 2).

NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, dated February 2006, requires the use of NIST SP 800-53 security controls in the development of the security plan (Section 3.14, pp. 24 - 25).
Once the security controls are\nselected and tailored and the common controls identified, agencies are to describe each control.\nThe description should contain: (i) the security control title; (ii) how the security control is being\nimplemented or is planned to be implemented; (iii) any scoping guidance that has been applied\nand what type of consideration; and (iv) indicate if the security control is a common control and\nwho is responsible for its implementation (SP 800-18 Section 3.1.4, pp 24 - 25).\nNIST SP 800-30, Risk Management Guide for Information Technology Systems, dated July 2002,\ndifferentiates security testing and evaluation from automated vulnerability scanning and penetration\ntesting. The purpose of system security testing is to test the effectiveness of the security controls of a\nsystem as they have been applied in an operational environment. In contrast, the potential vulnerabilities\nidentified by automated scanning may not represent real vulnerabilities in the context of the system\nenvironment. Similarly, penetration testing is used to test the system from the viewpoint of a threat-source\nand to identify potential failures in the IT system protection schemes (Section 3.3.2, pp. 17 - 18).\n\nNIST SP 800-34, Contingency Planning for Information Technology Systems, dated June 2002,\nstates that recovery strategies provide a means to restore IT operations quickly and effectively\nfollowing a service disruption. The strategies should address disruption impacts and allowable\noutage times identified in the Business Impact Assessment (BIA). Several alternatives should be\nconsidered when developing the strategy, including cost, allowable outage time, security and\nintegration with larger organization-level contingency plans (Section 3.1, p. 
19).\nFederal Information Processing Standards Publication 199 (FIPS PUB 199), Standards for\nSecurity Categorization of Federal Information Systems, February 2004, provides standards for\ncategorizing information and information systems. Security categorization standards for\ninformation and information systems provide a common framework and understanding for\nexpressing security that promotes: (i) effective management and oversight of information\nsecurity programs, including the coordination of information security efforts throughout the\ncivilian, national security, emergency preparedness, homeland security and law enforcement\ncommunities; and (ii) consistent reporting to the OMB and Congress on the adequacy and\neffectiveness of information security policies, procedures and practices. Subsequent NIST\n\n\n\n\n                                                    9                                November 18, 2009\n\x0cFINAL                              Independent Evaluation of FMC Information Security Program\n\nstandards and guidelines will address the second and third tasks cited (Section 1, p. 1). Agency\nofficials shall use the security categorizations described in FIPS PUB 199 whenever there is a\nfederal requirement to provide such a categorization of information or information systems.\nAdditional security designators may be developed and used at agency discretion. State, local,\ntribal governments, as well as private sector organizations comprising the critical infrastructure\nof the United States may consider the use of these standards as appropriate (Section 2, p. 
1).\nNIST SP 800-60, Guide for Mapping Types of Information Systems to Security Categories,\nVolumes I & II, August 2008, was developed to help agencies consistently map security impact\nlevels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor\nsensitive, trade secret, investigation); and (ii) information systems (e.g., mission-critical,\nmission-support, administrative). This guideline applies to all federal information systems other\nthan national security systems. National security systems store, process, or communicate national\nsecurity information (Section 1.1, p. 1).\nC&A Packages\nThe evaluation team reviewed packages for the FMC Network and SERVCON to determine if\nthe packages adhere to NIST SP 800-37 guidance. A review of the individual documents of each\npackage was then conducted to evaluate their compliance with other relevant NIST and OMB\nguidance. The C&A packages contained a privacy impact assessment, security plan, risk\nassessment and certification and accreditation statements; Plan of Action and Milestones\n(POA&M), FIPS 199 system categorization, contingency plan and system test and evaluation\nplan and report; and a configuration management plan (SERVCON only) and self-assessment.\nSecurity plans and certification and accreditation forms for these systems were provided\nseparately.\nThe review team concludes that the FMC Network and SERVCON packages were generally\ncompleted using NIST guidance. However we also identified minor instances of noncompliance\nwith NIST that could weaken the overall assurances of what the packages are intended to\nprovide. These deficiencies are detailed in the following sections:\nSecurity Plans\nWhile the FMC Network and SERVCON security plans were generally compliant with NIST SP\n800-18 guidance, review of the security plans found that sections of the security plans were\neither not completed or completed incorrectly. 
For example:

   •  The security plans (and C&A packages) do not contain unique identifiers for each system.
   •  Certifying Agent (CA) and Designated Approving Authority (DAA) titles are not clearly identified as required by NIST SP 800-37.
   •  E-mail addresses for key personnel are not provided.
   •  Minor applications are not identified, nor is there a statement indicating that there are no minor applications associated with the General Support System (FMC Network).
   •  A list of user organizations was not provided. (This may not be an issue given the size of the FMC, but there was no clear discussion of the user community.) Presently, this section and its related table identify switches, e-mail systems, firewalls and gateways used by the applications.
   •  There is no discussion of interconnections between systems. Specifically, there should be a list of systems that share data between applications.
   •  Security plans for systems processing Privacy Act information did not include the number and title of the system(s) of record and whether the system(s) are used for computer matching activities.
   •  Common controls were not specifically identified, although common controls were identified in the risk assessments.
   •  Signature and date fields were blank on the approval sheets in the copies of the security plans provided. Additionally, the names of personnel listed as the signatories did not match the individuals who signed the C&A statements.

Risk Assessments

Review of the FMC Network and SERVCON risk assessments found that the risk assessments were generally based upon SP 800-30 and addressed most of the areas covered by the guidance, including the risk assessment approach, system security categorization, threats and a detailed analysis. The FMC Network risk assessment was completed on May 26, 2009, and the SERVCON risk assessment was completed on May 27, 2009. However, the following weaknesses were identified:

   •  Accreditation boundaries for the risk assessment, which define the scope of the C&A packages, were not clearly defined.
   •  System and data owners were not clearly identified.
   •  Parts of the documents were incomplete. Specifically, the System Management Roles table and the System User Group and Access tables are incomplete in each risk assessment. These tables list the roles and access levels for IT and other user groups in an effort to keep them appropriately segregated.

E-Authentication Risk Assessments

Systems requiring e-authentication have not been identified, and e-authentication risk assessments have not been conducted on information technology systems. Additionally, due to a lack of documentation, we could not determine whether the agency has validated that its systems have operationally achieved the required assurance level as defined in NIST Special Publication 800-63.

C&A Letters

Review of the C&A memoranda dated June 4, 2009, found that certification and authorization to operate statements for the FMC Network and SERVCON were contained in each document. However, the review found the following weaknesses:

   •  The CIO is not clearly identified as the Designated Approving Authority.
   •  The ISSO signed the certification statement as the “Authorizing Official” instead of the “Certifying Agent,” which would appear to be a conflict of interest.
   •  The statement does not mention the contractors who operated as an independent certification agent, under the role of the ISSO, as required by NIST SP 800-53 for “moderate” and “high” categorized systems.

Privacy Impact Assessment (PIA)

Review of the C&A packages provided by the FMC confirmed that PIAs were completed for the FMC Network and SERVCON. Review of the PIAs found that they described the PIA process, identified who is responsible for completing the PIA and when a PIA is required, and described the Privacy Act requirements. Review of the assessments confirmed that the personal identifiers collected by each system were identified and that the PIA requirements were addressed. On the other hand, we noted that the PIA documents did not contain the following required information:

   •  System of Records Number (SORN)
   •  OMB unique system identifier
   •  System Code

We also noted that the PIAs were not signed, and Section 3 of the PIA, Determination by the FMC Privacy Advocate, is incomplete. There is a section title, but no statement or signature from the FMC Privacy Advocate to indicate whether the system PIAs have been approved.

FIPS 199 Security Categorization

The security categorizations were not consistent across the FMC Network and SERVCON documents. Specifically, the security categorizations for the FMC Network and SERVCON did not match the security categorizations listed in the POA&Ms.

Contingency Plans

Contingency plans were developed for the FMC Network (dated March 19, 2009) and SERVCON (dated March 18, 2009). Review of the completed FMC Network and SERVCON contingency plans revealed that:

   •  Team leads and alternates are not identified for the FMC Network contingency plan.
   •  The phone trees for the contingency plans are incomplete.
   •  Contact information for team leads and team members is incomplete.
   •  The contingency plans did not include service level agreements.
   •  A Business/Mission Impact Analysis has not been completed for each system.

Through inspection of the documentation and interviews with staff, it appears that the contractor completed the C&A documentation to a satisfactory level. However, the documentation does not fully comply with NIST guidance. This outcome is likely the result of inadequate oversight of the contractor’s final deliverables. Without comprehensive C&A packages for the FMC Network and SERVCON, the FMC is unable to identify all of the security vulnerabilities associated with operating its systems. Additionally, without the appropriate personnel formally accepting the risks of running these systems in the production environment, the FMC data and systems may be vulnerable to unknown threats and will not be adequately safeguarded to prevent unauthorized use, disclosure and modification.

Recommendations

We recommend OIT:

5. Conduct security categorizations on the FMC Network and SERVCON in accordance with FIPS 199 and NIST SP 800-60.
6. Clearly identify the Certifying Agent, Designated Approving Authority and system owner in the FMC Network and SERVCON security plans and C&A documentation in accordance with NIST SP 800-37.
7. Conduct complete risk assessments on the FMC Network and SERVCON. Define accreditation boundaries. Ensure that risk assessments are complete in accordance with NIST SP 800-30.
8. Complete security plans for the FMC Network and SERVCON in accordance with NIST SP 800-18.
9. Standardize security categorizations across the FMC Network and SERVCON C&A documents.
10. Develop contingency plans for the FMC Network and SERVCON in accordance with NIST SP 800-34 and NIST SP 800-53.
11. Complete the FMC Network and SERVCON Authorization to Operate letters with the correct information and titles.

Notification of Finding # 4: The FMC lacks an adequate Contingency Planning Program, to include policies, procedures, testing and documentation of testing.

According to NIST SP 800-34, Contingency Planning for Information Technology Systems, dated June 2002, recovery strategies provide a means to restore IT operations quickly and effectively following a service disruption. The strategies should address disruption impacts and allowable outage times identified in the Business Impact Analysis (BIA). Several alternatives should be considered when developing the strategy, including cost, allowable outage time, security and integration with larger organization-level contingency plans.

The selected recovery strategy should address the potential impacts identified in the BIA and should be integrated into the system architecture during the design and implementation phases of the system life cycle. The strategy should include a combination of methods that complement one another to provide recovery capability over the full spectrum of incidents. A wide variety of recovery approaches may be considered; the appropriate choice depends on the incident, the type of system and its operational requirements. Specific recovery methods, further described in Section 3.4.2 of SP 800-34, should be considered and may include commercial contracts with cold-, warm- or hot-site vendors, mobile sites, mirrored sites, reciprocal agreements with internal or external organizations and service level agreements (SLAs) with the equipment vendors.
In addition, technologies such as Redundant Arrays of Independent Disks (RAID), automatic fail-over, uninterruptible power supply (UPS) and mirrored systems should be considered when developing a system recovery strategy.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009, states that organizations shall provide for the recovery and reconstitution of the information system to a known state after a disruption, compromise or failure (SP 800-53, CP-10).

The FMC took part in the Federal Emergency Management Agency’s (FEMA) Eagle Horizon 2009 continuity exercise, which is mandatory for all federal executive branch departments and agencies. This test evaluated the accessibility and functionality of the FMC-18, e-mail, Registered Person Index (RPI), CADRS’ database, MS Word and Adobe in the event of a disruption. However, based upon review of the contingency plans and documentation provided, the following weaknesses were noted:

   •  The FMC does not have documented contingency planning policies and procedures for identifying the frequency and types of tests and for preparing and updating contingency documentation.
   •  The SERVCON contingency plan was not tested.
   •  The FMC Network contingency plan test (Eagle Horizon 2009) and its results documentation do not adequately test or document the FMC Network and SERVCON contingency plans. This test focused on the FMC’s e-mail, Adobe, Internet access, FMC-18, Content Management System (CMS), RPI and CADRS’ database. No information was available to describe the scenario that was being tested. Testing appeared to concentrate on determining if the applications were working and if e-mail could be sent or the Internet could be accessed. Some test results were inconclusive (e-mail was sent out requesting replies from the recipients, but no responses were received); however, no recommendations or lessons learned were identified.

The FMC has not allocated the necessary resources to create a fully functional contingency planning program, to include appropriate testing and documentation of the testing. Delays, confusion and the potential introduction of vulnerabilities when recovering from a system failure are likely when contingency plans are incomplete and have not been tested. Not testing contingency plans could result in errors or incorrect steps being embedded in the security plan, which could further hinder the recovery process.

Recommendations

We recommend OIT:

12. Develop a contingency plan policy and procedures that address the creation, review, testing and maintenance of contingency plans.
13. Test contingency plans and document results in accordance with NIST SP 800-34 and NIST SP 800-53.

Notification of Finding # 5: The FMC does not have an official system inventory.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009, control CM-8 requires that organizations develop, document and maintain an inventory of information system components that:

   •  Accurately reflects the current information system.
   •  Is consistent with the authorization boundary of the information system.
   •  Is at the level of granularity deemed necessary for tracking and reporting.
   •  Includes organization-defined information deemed necessary to achieve effective property accountability.
   •  Is available for review and audit by designated organizational officials.

During FY 2009, OIT hired contractors to create a security program and to certify and accredit the FMC’s systems. The contractors distributed inventory forms to all the FMC departments to identify the systems in operation. The returned forms became the “FMC inventory.” In addition to the FMC Network and SERVCON systems for which the contractor created C&A packages, the forms returned from each of the FMC departments identified the following systems:

   •  BEAA
   •  BOE Index
   •  e-agreements
   •  Form 1
   •  Form 18 (FMC-18)
   •  OIG
   •  PIERS
   •  SERVCON (External)
   •  Training

A complete inventory, in addition to simply identifying systems, must contain the following:

   •  IT System ID
   •  IT System interfaces
   •  IT System boundary
   •  IT System Operability and Agreements
   •  IT System and Data Sensitivity
   •  Overall IT System Sensitivity Rating
   •  IT System Sensitivity Rating
   •  An indication as to whether the system is a GSS, major application or minor application

The OIG notes that other federal agencies annually query their business units on the IT systems they are using or plan to use in the future, and also identify IT systems that are used outside of the agency. This information is then compiled by the IT department into an official documented inventory.

Through inspection of the documentation and interviews with OIT staff, it was determined that an inventory process had not been implemented at the FMC and that OIT staff were relying on documentation produced and distributed by the contractor. Further, this “inventory” was not vetted for accuracy and completeness by OIT or its contractor. Without documenting and implementing an effective inventory process, FMC management may not be aware of all the FMC systems in operation and, therefore, cannot fully realize the risk in the IT environment.

Recommendation

We recommend OIT:

14. Complete and maintain an official, documented system inventory of all the FMC systems and interfaces.

Notification of Finding # 6: The FMC Plan of Action & Milestones process needs improvement.

In Memorandum M-04-25, Memorandum for Heads of Executive Departments and Agencies, OMB requires agencies to prepare POA&Ms for all programs and systems where an IT security weakness has been found. The guidance directs CIOs and agency program officials to develop, implement and manage POA&Ms for all programs and systems they operate and control (e.g., for program officials this includes all systems that support their operations and assets). Additionally, program officials shall regularly (at least quarterly and at the direction of the CIO) update the agency CIO on their progress to enable the CIO to monitor agency-wide remediation efforts and provide the agency’s quarterly update to OMB. M-04-25 also provides instructions on how POA&Ms should be structured and maintained (M-04-25, pp. 14-15).

Based on the documents reviewed, the FMC developed POA&Ms for the FMC Network and SERVCON. The POA&M documents contain the required elements as identified in OMB guidance. However, review of the POA&Ms noted the following weaknesses:

   •  The POA&M process may not be implemented agency-wide.
   •  The POA&M process may not be fully utilized.

Review of the FMC Network and SERVCON POA&Ms found that POA&M action items originated from various sources, such as system security plan findings, the Office of Equal Employment Opportunity, OIG, Office of Operations, Office of Administration and the Office of Financial Management. However, POA&Ms were not provided for all of the FMC applications. The POA&M process has not been implemented agency-wide and may not incorporate all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.

The OIG found that the POA&Ms for the FMC Network and SERVCON were not completed properly and, therefore, the process may not be fully utilized. Review of the POA&Ms noted the following weaknesses:

   •  Sensitivity/criticality levels for the FMC Network and SERVCON systems did not match the sensitivity/criticality levels reported in FIPS 199 for the FMC Network and SERVCON. The FIPS 199 security categorization for the FMC Network was reported as High/High/High (corresponding to the confidentiality, integrity and availability impact levels for each IT system, respectively), while the POA&M identified it as High/Moderate/High. The FIPS 199 security categorization for SERVCON was identified as High/Moderate/High, while the security categorization listed in the SERVCON POA&M was Moderate/Moderate/Moderate. Based on these categorizations, the agency sets its controls and the security of the information. Controls for moderate systems are not as stringent as those for high-risk systems.
   •  ID numbers were not assigned to POA&M items for the FMC Network and SERVCON.
   •  The sensitivity of the POA&M document was not printed on the document.
   •  Resources required to complete the task were not identified.
   •  Milestones with completion dates were not identified.

Through inspection of the documentation and interviews with OIT staff, the OIG determined that OIT staff have utilized the FMC Network and SERVCON POA&Ms, but have not allocated sufficient resources to create an agency-wide POA&M process (i.e., a process that tracks vulnerabilities from various sources within the agency). Without an effective POA&M process, the agency may not be able to easily identify and prioritize weaknesses or track the status of the corrective actions being taken to resolve identified deficiencies. This could lead to vulnerabilities not being corrected and the continued exposure of the FMC systems to higher levels of risk.

Recommendations

We recommend OIT:

15. Develop an agency-wide POA&M process to include all systems that meet OMB requirements.
16. Complete the POA&M spreadsheets in accordance with current OMB and NIST guidance and maintain evidence of the closure of each item.

Notification of Finding # 7: The FMC Network Domain Administrator accounts are not appropriately segregated and monitored.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009, recommends that organizations:

   •  Establish and administer privileged user accounts in accordance with a role-based access scheme that: (a) organizes information system and network privileges into roles; and (b) tracks and monitors privileged role assignments.
   •  Employ the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
   •  Review and analyze information system audit records at an organization-defined frequency for indications of inappropriate or unusual activity, and report findings to designated organizational officials.

Six members of the OIT staff, including one contractor and the ISSO, have FMC Network Domain Administrator permissions on their user accounts. Additionally, a formal process for monitoring user and privileged accounts, including the Domain Administrator account, is not implemented.

The FMC informed the OIG that the conditions exist because the size of the OIT requires multiple individuals to make changes to the FMC Network on a daily basis.
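The two SP 800-53 expectations quoted in this finding, tracking privileged role assignments and reviewing audit records for unusual activity, can be checked mechanically once a documented list of approved role holders exists. The script below is an added illustration of such a review and is not part of the OIG report or of any FMC tool. Everything in it is assumed: the account names, the approved-role list and the audit records are constructed, with the records modelled on the Windows Security log events 4728 (member added to a security-enabled global group), 4729 (member removed) and 4732 (member added to a local group).

```python
"""Privileged-role assignment review.

Added example, not from the OIG report. It replays group-membership audit
events for privileged domain groups, compares the resulting membership with
an approved role-assignment list maintained by the ISSO, and flags changes
that warrant review. All names and records below are constructed.
"""
import json
from dataclasses import dataclass

# Groups whose membership confers domain-wide administrative privilege.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Approved privileged role assignments (hypothetical): the documented list of
# staff whose job functions require each role.
APPROVED_ROLES = {
    "Domain Admins": {"adm-alice", "adm-bob"},
}

# Constructed audit records in JSON-lines form, modelled on Windows Security
# events 4728 (member added to a security-enabled global group), 4729 (member
# removed) and 4732 (member added to a local group). Field names follow the
# Windows event schema; the values are invented.
SAMPLE_LOG = """\
{"EventID": 4728, "TimeCreated": "2009-10-06T08:12:00Z", "SubjectUserName": "adm-alice", "MemberName": "adm-bob", "TargetUserName": "Domain Admins"}
{"EventID": 4728, "TimeCreated": "2009-10-06T09:30:00Z", "SubjectUserName": "adm-bob", "MemberName": "contractor-1", "TargetUserName": "Domain Admins"}
{"EventID": 4732, "TimeCreated": "2009-10-06T10:02:00Z", "SubjectUserName": "adm-bob", "MemberName": "helpdesk-1", "TargetUserName": "Remote Desktop Users"}
{"EventID": 4728, "TimeCreated": "2009-10-07T14:45:00Z", "SubjectUserName": "isso-1", "MemberName": "isso-1", "TargetUserName": "Domain Admins"}
{"EventID": 4729, "TimeCreated": "2009-10-08T16:20:00Z", "SubjectUserName": "adm-alice", "MemberName": "contractor-1", "TargetUserName": "Domain Admins"}
"""


@dataclass(frozen=True)
class Alert:
    when: str
    group: str
    member: str
    actor: str
    reason: str


def parse_log(text):
    """Parse JSON-lines audit records; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_privileged_changes(events, approved=APPROVED_ROLES):
    """Flag privileged-group additions that need ISSO review.

    Two conditions are flagged: an actor adding their own account to a
    privileged group (no separation between requester and approver), and an
    addition of a member who is not on the approved role list. Removals and
    changes to non-privileged groups are not alerted.
    """
    alerts = []
    for ev in events:
        if ev["EventID"] != 4728 or ev["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        group, member, actor = ev["TargetUserName"], ev["MemberName"], ev["SubjectUserName"]
        if member == actor:
            reason = "self-assignment of a privileged role"
        elif member not in approved.get(group, set()):
            reason = "member is not on the approved role list"
        else:
            continue  # approved addition made by someone else: no alert
        alerts.append(Alert(ev["TimeCreated"], group, member, actor, reason))
    return alerts


def replay_membership(initial, events, group):
    """Derive current membership of `group` from a trusted baseline plus events."""
    members = set(initial)
    for ev in events:
        if ev["TargetUserName"] != group:
            continue
        if ev["EventID"] == 4728:
            members.add(ev["MemberName"])
        elif ev["EventID"] == 4729:
            members.discard(ev["MemberName"])
    return members


def excess_members(members, group, approved=APPROVED_ROLES):
    """Accounts holding the role without a documented need (least privilege)."""
    return set(members) - approved.get(group, set())


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for a in review_privileged_changes(events):
        print(f"{a.when} {a.group}: {a.actor} added {a.member} ({a.reason})")
    current = replay_membership({"adm-alice"}, events, "Domain Admins")
    print("Domain Admins now:", sorted(current))
    print("Not on approved list:", sorted(excess_members(current, "Domain Admins")))
```

The approved-role list plays the part of the documented, job-function-based assignment that recommendation 18 below calls for; without it the review can only report changes, not judge them. The replay needs a baseline membership snapshot taken at a known-good time, since audit events alone do not say who was already in the group when logging began.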
The FMC also\n\n                                                 18                             November 18, 2009\n\x0cFINAL                             Independent Evaluation of FMC Information Security Program\n\ninformed the OIG that informal monitoring by the OIT Director is performed and, therefore, a\nformal monitoring process is not necessary. The OIG is not convinced that monitoring is not\nneeded based on OIT\xe2\x80\x99s rationale. Without appropriately limiting the access rights and monitoring\nusage of the FMC Network account(s), authorized and unauthorized changes to the network may\noccur without the necessary accountability, which may affect the overall confidentiality, integrity\nand availability of the system.\n\nRecommendations\n\nWe recommend OIT:\n17. Change the password of the FMC Network Domain Administrator account and physically\n    secure the password so that it is only available for authorized and documented network\n    changes and/or emergencies.\n18. Restrict the FMC Network Domain Administrator privileges to OIT staff whose job functions\n    require the access privileges; remove access for the ISSO to maintain segregation of duties.\n19. Document and implement policies and procedures (and if determined necessary hardware\n    and/or software) for the ISSO to monitor the actions of all the FMC Network users,\n    privileged users (super users) and domain administrator accounts.\n\n4.3 Vulnerability Scan\n\nThe OIG performed a vulnerability assessment on the FMC Network from external sources on\nOctober 6, 2009. The review was conducted using NIST SP 800-115, Technical Guide to\nInformation Security Testing and Assessment, September 2008, as methodology. It was noted\nthat no high-risk vulnerabilities were discovered. 
Completed scan results were provided to OIT\nmanagement immediately after our tests were concluded.\n\n\n\n\n                                                19                            November 18, 2009\n\x0cUNITED STATES GOVERNMENT                              FEDERAL MARITIME COMMISSION\n\n       Memorandum\n\nTO            : Inspector General                              DATE: January 26, 2010\nTHROUGH : /Director, Office of Administration/\nFROM          : CIO\nSUBJECT       : FISMA Audit 2009\nThis is in response to your recently provided FISMA audit report.\nNotification of Finding # 1: Configuration Management Documentation is not\nadequate\nRecommendation(s)\n\nWe recommend OIT:\n\n1. Complete the SERVCON configuration management documentation to include\n   missing sections (identified above). Additionally, confirm that the FMC Network and\n   SERVCON configuration management plans address the following sections in\n   accordance with NIST SP 800-53, Revision 3:\n\n\n     \xe2\x80\xa2 Security control, port and firewall settings\n\n     \xe2\x80\xa2 Allowable and non-allowable services\n\n     \xe2\x80\xa2 Hardware and software requirements\n\n     \xe2\x80\xa2 Patches and service packs\n\n     \xe2\x80\xa2 System and application baseline and documentation of the deviation from the\n       baselines\n\nManagement\xe2\x80\x99s Response\nFMC acknowledges finding # 1 recommendation 1; the SERVCON Technical\nArchitecture document did not address security controls in sufficient detail. 
Specifically,\nmore information should be provided regarding security control, port and firewall\nsettings, allowable and non-allowable services, hardware and software requirements,\npatches and service packs, on what security baselines should be used, frequency of\nsecurity baseline updates, and steps to ensure security baselines are being followed.\n\x0cFMC will follow the recommendation of the Office of the Inspector General by ensuring\nthat configuration management plans address the above referenced sections in\naccordance with NIST SP 800-53, Revision 3.\n2. Implement the NIST National Checklist Program and use a Security Content\n   Automation Protocol (SCAP) scanner to document deviations from the checklists.\n\nManagement\xe2\x80\x99s Response\nFMC will follow the recommendation of the Office of the Inspector General in regards to\nthe implementation of the NIST National Checklist Program and the utilization of a\nSecurity Content Automation Protocol (SCAP) scanner to document deviations from the\nchecklists.\n\n\nNotification of Finding # 2: The FMC does not fully comply with Security\nRequirements of OMB Memorandum M-07-16\nRecommendation(s)\nWe recommend OIT:\n3. Evaluate FMC mobile needs and implement FIPS 140-2 encryption on mobile\n   computers and portable devices carrying agency data.\nManagement\xe2\x80\x99s Response\nFMC acknowledges finding # 2 recommendation 3. FMC is in the process of identifying\na FIPS 140-2 compliant encryption solution to implement on mobile computers and\nportable devices carrying agency data.\n\n\n4. Configure the Network Administrator remote-access connection to require a 30-\n   minute inactivity timeout. If unable to complete, document the compensating\n   controls, residual risk and management acceptance of risk.\nManagement\xe2\x80\x99s Response\nFMC acknowledges finding # 2 recommendation 4. 
The FMC has stated that the Network Administrator's remote access connection cannot be set to time out, as there is no setting for this function. FMC will document the compensating controls and residual risk, and provide management sign-off on acceptance of this risk until corrected.

Notification of Finding #3: Deficiencies exist in the FMC Certification and Accreditation (C&A) packages for the FMC Network and SERVCON

Recommendation(s)

We recommend OIT:

5. Conduct security categorizations on the FMC Network and SERVCON in accordance with FIPS 199 and NIST SP 800-60.

Management's Response
Security categorizations have been conducted on the FMC GSS and SERVCON systems in accordance with FIPS 199 and NIST SP 800-60.

6. Clearly identify the Certifying Agent, Designated Approving Authority, and system owner in the FMC Network and SERVCON security plans and C&A documentation in accordance with NIST SP 800-37.

Management's Response
The C&A letters have been corrected to clearly identify the Certifying Agent, Designated Approving Authority, and System Owner in the security plans and C&A documentation in accordance with NIST SP 800-37.

7. Conduct complete risk assessments on the FMC Network and SERVCON. Define accreditation boundaries. Ensure that risk assessments are complete in accordance with NIST SP 800-30.

Management's Response
Risk assessments that define the accreditation boundaries have been completed for the FMC GSS and SERVCON systems in accordance with NIST SP 800-30.

8. Complete security plans for the FMC Network and SERVCON in accordance with NIST SP 800-18.

Management's Response
Security plans have been completed for the FMC GSS and SERVCON systems in accordance with NIST SP 800-18.

9. Standardize security categorizations across the FMC Network and SERVCON C&A documents.

Management's Response
Security categorizations have been standardized across all FMC GSS and SERVCON C&A documents.

10. Develop contingency plans for the FMC Network and SERVCON in accordance with NIST SP 800-34 and NIST SP 800-53.

Management's Response
As part of the certification and accreditation process performed by IES, a contingency plan was developed for both the GSS and SERVCON systems that identifies testing procedures, frequency of testing, and the types of test to be performed. FMC will conduct a contingency plan test in the second quarter of FY 2010 using the contingency plan test process developed by IES for the FMC GSS and SERVCON systems and document the results in accordance with NIST SP 800-34 and NIST SP 800-53.

11. Complete the FMC Network and SERVCON Authorization to Operate letters with the correct information and titles.

Management's Response
Completed 10/16/09

Notification of Finding #4: FMC lacks an adequate Contingency Planning Program, to include policies, procedures, testing, and documentation of testing.

Recommendation(s)

We recommend OIT:

12. Develop a contingency plan policy and procedures that address the creation, review, testing, and maintenance of contingency plans.

Management's Response
FMC does not have documented contingency planning policies and procedures identifying the frequency of testing, the types of testing, and the preparation and updating of contingency documentation. The FMC has recently completed migrating from its previous COOP site (Rack Space) to its new COOP site (Recovery Point), from which FMC participated in the Eagle Horizon contingency plan test.
As part of the certification and accreditation process performed by IES, a contingency plan was developed for both the GSS and SERVCON systems that identifies testing procedures, frequency of testing, and the types of test to be performed.

13. Test contingency plans and document results in accordance with NIST SP 800-34 and NIST SP 800-53.

Management's Response
The FMC Network contingency plan test (Eagle Horizon 2009) and its results documentation do not adequately test or document the FMC Network and SERVCON contingency plans. FMC will conduct a contingency plan test in the second quarter of FY 2010 using the contingency plan test process developed by IES for the FMC GSS and SERVCON systems and document the results in accordance with NIST SP 800-34 and NIST SP 800-53.

Notification of Finding #5: FMC does not have an official system inventory.

Recommendation(s)

We recommend OIT:

14. Complete and maintain an official system inventory of all FMC systems and interfaces.

Management's Response
The FMC has inventoried the GSS and SERVCON systems using a process that conforms to control CM-8 of NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, as required during its recertification of SERVCON in FY 2009.

Notification of Finding #6: The FMC Plan of Action & Milestones process needs improvement.

Recommendation(s)

We recommend OIT:

15. Develop an agency-wide POA&M process that includes all systems and meets OMB requirements.

Management's Response
An agency-wide POA&M process that meets OMB requirements has been implemented for FMC's GSS and SERVCON systems.

16. Complete the POA&M spreadsheets in accordance with current OMB and NIST guidance and maintain evidence of the closure of each item.

Management's Response
The FMC acknowledges Finding #6, Recommendation 16. The POA&M spreadsheets have been completed in accordance with current OMB and NIST guidance. The sensitivity/criticality levels for the systems were corrected to correspond with the sensitivity/criticality levels reported in the Federal Information Processing Standards (FIPS) 199 categorizations for the FMC Network and SERVCON. The FIPS 199 security categorization for the FMC Network was reported as Confidentiality-High/Availability-High/Integrity-High. The FIPS 199 security categorization for SERVCON was identified as Confidentiality-High/Availability-Moderate/Integrity-High during its recertification of SERVCON in FY 2009.

Notification of Finding #7: The FMC Network Domain Administrator accounts are not appropriately segregated and monitored.

Recommendation(s)

We recommend OIT:

17. Change the password of the FMC Network Domain Administrator account and physically secure the password so that it is only available for authorized and documented network changes and/or emergencies.

Management's Response
The Office of Information and Technology, in conjunction with the CIO, is in the process of developing a process by which, every ninety days, the Domain Administrator account password is manually changed and physically secured in a designated location so that it is only available for authorized and documented network changes and/or emergencies, in accordance with Finding #7, Recommendation 17. This process will be in place by the end of the first quarter of fiscal year 2010.

18. Restrict the FMC Network Domain Administrator privileges to OIT staff whose job functions require the access privileges; remove access for the ISSO to maintain segregation of duties.

Management's Response
All Office of Information and Technology staff members that require elevated access privileges have, in addition to their regular user account, an account that is a member of the Domain Admin group through which additional access rights are provided. These accounts were created to provide Office of Information and Technology staff the ability to perform their necessary job functions while providing accountability with regard to network access and configuration changes. The ISSO has additional duties within the Office of Information and Technology which require additional access privileges.

19. Document and implement policies and procedures (and, if determined necessary, hardware and/or software) for the ISSO to monitor the actions of all FMC Network users, privileged users (super users) and domain administrator accounts.

Management's Response
FMC Office of Information and Technology currently employs a process that captures the server logs and moves them to a designated network location. The server/network logs consist of application, security, and system logs and are kept for three years. Based on Finding #7, Recommendation 19, the FMC realizes the need for a proactive network access monitoring process and will seek to identify a hardware or software solution that will allow the ISSO to receive alerts based on predetermined criteria relating to network access. This process will be in place by the end of the third quarter of fiscal year 2010.
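The alerting process that management commits to under Recommendations 17 through 19 amounts to a fixed set of criteria applied to the Security logs OIT already collects: use of the shared Domain Administrator account outside a documented change, membership changes to the Domain Admins group, administrative logons by accounts not on the approved per-person admin list, and clearing of the audit log. The following Python is an added example written for this page, not code from FMC, OIT, IES or the OIG evaluation. It assumes events have been exported from the Windows Security log into records with the standard field names (EventID, TimeCreated as a datetime, Computer, SubjectUserName, TargetUserName, TargetGroup, MemberName, IpAddress); the event IDs are the standard Windows ones, while the approved admin list, the change ticket and all sample events are constructed for illustration.

```python
"""Predetermined-criteria alerting over Windows Security events (added example).

Not FMC/OIT code. Event records are dicts using the field names that Windows
Security-log exports carry; the approved admin accounts, change windows and
sample events below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime

# Standard Windows Security event IDs used by the rules.
LOGON = 4624          # an account was successfully logged on
SPECIAL_PRIVS = 4672  # special privileges assigned to new logon (administrative rights)
GROUP_ADD = 4728      # a member was added to a security-enabled global group
GROUP_REMOVE = 4729   # a member was removed from a security-enabled global group
LOG_CLEARED = 1102    # the audit log was cleared

SHARED_ADMIN = "administrator"  # the shared Domain Administrator account (Recommendation 17)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
# Built-in identities that receive 4672 on every logon; excluded to keep the rule quiet.
NOISE_ACCOUNTS = {"system", "local service", "network service"}


@dataclass(frozen=True)
class ChangeWindow:
    """A documented, management-approved period of use for the shared account."""
    ticket: str
    start: datetime
    end: datetime

    def covers(self, when: datetime) -> bool:
        return self.start <= when <= self.end


def evaluate(events, approved_admins, windows):
    """Apply the predetermined criteria; return (severity, message) alerts in event order."""
    approved = {a.lower() for a in approved_admins}
    alerts = []
    for ev in events:
        eid, when, host = ev["EventID"], ev["TimeCreated"], ev["Computer"]
        actor = ev.get("SubjectUserName", "?")
        target = ev.get("TargetUserName", "")
        stamp = f"{when:%Y-%m-%d %H:%M} {host}"
        if eid == LOG_CLEARED:
            # Clearing the Security log destroys the accountability the process relies on.
            alerts.append(("HIGH", f"{stamp}: audit log cleared by {actor}"))
        elif eid in (GROUP_ADD, GROUP_REMOVE) and ev.get("TargetGroup") in PRIVILEGED_GROUPS:
            verb = "added to" if eid == GROUP_ADD else "removed from"
            alerts.append(("HIGH", f"{stamp}: {ev['MemberName']} {verb} {ev['TargetGroup']} by {actor}"))
        elif eid == LOGON and target.lower() == SHARED_ADMIN:
            # The shared account may only be used inside a documented change window.
            window = next((w for w in windows if w.covers(when)), None)
            if window is None:
                alerts.append(("HIGH", f"{stamp}: shared Administrator logon from "
                                       f"{ev.get('IpAddress', '?')} outside any documented change window"))
            else:
                alerts.append(("INFO", f"{stamp}: shared Administrator logon under change {window.ticket}"))
        elif eid == SPECIAL_PRIVS and target.lower() not in approved | NOISE_ACCOUNTS | {SHARED_ADMIN}:
            alerts.append(("MEDIUM", f"{stamp}: privileged logon by account not on the approved admin list: {target}"))
    return alerts


# Hypothetical per-person admin accounts (Recommendation 18) and one documented change.
APPROVED_ADMINS = ["jdoe-adm", "msmith-adm"]
CHANGE_WINDOWS = [ChangeWindow("CHG-0042", datetime(2010, 1, 12, 2, 0), datetime(2010, 1, 12, 3, 0))]


def sample_events():
    """Constructed sample events (not real FMC logs)."""
    T = datetime
    return [
        {"EventID": LOGON, "TimeCreated": T(2010, 1, 12, 2, 10), "Computer": "DC01",
         "TargetUserName": "Administrator", "IpAddress": "10.0.0.25"},           # inside CHG-0042
        {"EventID": SPECIAL_PRIVS, "TimeCreated": T(2010, 1, 12, 9, 0), "Computer": "DC01",
         "TargetUserName": "jdoe-adm"},                                          # approved admin
        {"EventID": LOGON, "TimeCreated": T(2010, 1, 14, 11, 30), "Computer": "FILESRV01",
         "TargetUserName": "Administrator", "IpAddress": "10.0.5.77"},           # no change window
        {"EventID": GROUP_ADD, "TimeCreated": T(2010, 1, 14, 11, 32), "Computer": "DC01",
         "SubjectUserName": "Administrator", "TargetGroup": "Domain Admins",
         "MemberName": "CN=tuser,OU=Staff,DC=fmc,DC=example"},                   # privileged group change
        {"EventID": SPECIAL_PRIVS, "TimeCreated": T(2010, 1, 14, 11, 40), "Computer": "FILESRV01",
         "TargetUserName": "tuser"},                                             # not on approved list
        {"EventID": LOGON, "TimeCreated": T(2010, 1, 14, 12, 0), "Computer": "WS-0142",
         "TargetUserName": "jdoe"},                                              # ordinary user, no alert
        {"EventID": LOG_CLEARED, "TimeCreated": T(2010, 1, 14, 11, 45), "Computer": "FILESRV01",
         "SubjectUserName": "Administrator"},                                    # log cleared
    ]


def run_demo():
    return evaluate(sample_events(), APPROVED_ADMINS, CHANGE_WINDOWS)


if __name__ == "__main__":
    for severity, message in run_demo():
        print(f"[{severity}] {message}")
```

The change-window check is what turns the ninety-day manual password rotation into something auditable: a logon by the shared account that no ticket covers is the event the ISSO needs to see, and the per-person admin accounts are what make the other rules attributable to an individual.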